Stop bumping go directive unless necessitated by other dependencies #147

Open
kaovilai opened this issue Dec 24, 2024 · 1 comment

@kaovilai

```
@kaovilai ➜ /workspaces/sdk (961a644) $ go mod graph | grep [email protected] | cut -d ' ' -f 2
[email protected]
[email protected]
@kaovilai ➜ /workspaces/sdk (961a644) $ go mod graph | grep [email protected]. | grep -v /sdk | cut -d ' ' -f 2
[email protected]
[email protected]
[email protected]
```

Per the above, this repo's go.mod as it currently stands should have a go directive of 1.23.2, not 1.23.3.

This repo by itself should not be enforcing a minimum on other repositories importing it. Stop spreading the "minimum virus".

The toolchain version used will ideally be defined outside of go.mod, such as by installing a newer compatible Go toolchain to the CI/CD/development env.

Failing that, the toolchain directive should be used instead of the go directive for bumping versions, to not cascade minimum versions to importing dependencies.

The toolchain directive, in contrast to the go directive, applies only to the current module (the one defined by the go.mod file). It suggests the toolchain to be used when in that very module, and doesn't propagate to other modules.

High profile repos that have removed/reduced minimum go patch version per user requests

Being proactive to prevent the following from reoccurring

@kaovilai
Author

```
@kaovilai ➜ /workspaces/sdk (main) $ go get [email protected] [email protected] && go mod tidy && cat go.mod
go: downgraded go 1.23.3 => 1.23.2
go: added toolchain go1.23.4
...
module chainguard.dev/sdk

go 1.23.2

toolchain go1.23.4
```
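
The check run by hand in this issue, as an added Go example (not code from the repository or its maintainers): it reads `go mod graph` output and compares the `go` version the main module declares with the highest one any dependency requires. The module names, the sample graph and the function names are constructed for the illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed `go mod graph` output; module names and versions are illustrative.
const sampleGraph = `example.com/app go@1.23.3
example.com/app example.com/liba@v1.4.0
example.com/liba@v1.4.0 go@1.22
example.com/libb@v0.9.1 go@1.23.2
go@1.23.3 toolchain@go1.23.3`

// less reports whether Go version a is older than b ("1.22" counts as 1.22.0;
// release candidates such as "1.23rc1" are not handled, by assumption).
func less(a, b string) bool {
	var x, y [3]int
	fmt.Sscanf(a, "%d.%d.%d", &x[0], &x[1], &x[2])
	fmt.Sscanf(b, "%d.%d.%d", &y[0], &y[1], &y[2])
	for i := range x {
		if x[i] != y[i] {
			return x[i] < y[i]
		}
	}
	return false
}

// goFloor returns the main module's declared go version and the highest one a dependency needs.
func goFloor(graph string) (declared, needed string) {
	for _, line := range strings.Split(graph, "\n") {
		f := strings.Fields(line)
		if len(f) != 2 || !strings.HasPrefix(f[1], "go@") {
			continue
		}
		v := strings.TrimPrefix(f[1], "go@")
		if !strings.Contains(f[0], "@") { // the main module carries no @version
			declared = v
		} else if needed == "" || less(needed, v) {
			needed = v
		}
	}
	return declared, needed
}

func main() {
	d, n := goFloor(sampleGraph)
	fmt.Printf("declared go %s, dependencies need go %s, higher than needed: %v\n", d, n, less(n, d))
}
```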
